Abstract

Advanced Persistent Threats (APTs) use sophisticated and covert tactics to infiltrate target systems, increasing vulnerability and the risk of exposure. It is therefore essential to proactively reconstruct a complete and clearly outlined attack chain for an APT in order to combat it effectively. Unlike traditional malware or application threats, APTs can evade cyber security defenses and cause severe damage to organizations or even to state security. However, earlier methods struggle to track APTs accurately and can suffer from the dependency explosion problem, because identifying the intricate, unknown malicious activities within an APT is challenging. In this paper, we propose and build T-trace, an approach that constructs event provenance graphs by analyzing the correlations among logs. It locates log communities precisely using tensor decomposition and computes significance scores to extract the events. The APT can then be inferred by discovering the event communities and constructing the provenance graph through log correlation. In our experiments, we used DARPA data sets and launched four current practical APTs. Compared with existing approaches, the results show that T-trace reduces time cost by 90% and achieves a 92% accuracy rate in constructing the provenance graph, so it can be applied in practice to APT provenance.
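As an added illustration of the two ideas the abstract combines, building a provenance graph from log correlation and pruning it with significance scores to avoid dependency explosion, the following is example code written for this page, not T-trace's own implementation; the events are constructed, and the rarity-based score is an assumed stand-in for the paper's tensor-derived significance scores.

```python
# Added illustration (not T-trace's code): build a provenance graph from constructed audit
# events, score them, and backward-trace from an alert, pruning low-significance edges.
import math
from collections import defaultdict, deque

# Constructed sample events: (timestamp, subject, operation, object).
EVENTS = [
    (1, "bash", "exec", "curl"),
    (2, "curl", "read", "/etc/ld.so.cache"),
    (3, "curl", "write", "/tmp/dl.sh"),
    (4, "bash", "exec", "/tmp/dl.sh"),
    (5, "/tmp/dl.sh", "read", "/etc/ld.so.cache"),
    (6, "/tmp/dl.sh", "read", "/etc/passwd"),
    (7, "/tmp/dl.sh", "write", "/tmp/out.txt"),
    (8, "bash", "exec", "ls"),
    (9, "ls", "read", "/etc/ld.so.cache"),
]

def build_graph(events):
    """sink -> [(source, event)]: exec/write flow subject->object, read flows object->subject."""
    graph = defaultdict(list)
    for ev in events:
        _, subj, op, obj = ev
        src, dst = (obj, subj) if op == "read" else (subj, obj)
        graph[dst].append((src, ev))
    return graph

def significance(events):
    """Assumed stand-in for T-trace's significance scores (not its tensor method):
    objects touched by many events, such as a loader cache, score low; rare ones score high."""
    counts = defaultdict(int)
    for _, _, _, obj in events:
        counts[obj] += 1
    return {obj: math.log(len(events) / c) for obj, c in counts.items()}

def backward_trace(graph, scores, alert, threshold):
    """Walk backwards from the alerted node, keeping only edges that precede the downstream
    event in time and score above threshold; returns the kept events' timestamps."""
    chain, seen, queue = set(), {alert}, deque([(alert, float("inf"))])
    while queue:
        node, t_max = queue.popleft()
        for src, (ts, _, _, obj) in graph.get(node, []):
            if ts <= t_max and scores[obj] > threshold:
                chain.add(ts)
                if src not in seen:
                    seen.add(src)
                    queue.append((src, ts))
    return sorted(chain)

def trace_alert(threshold, alert="/tmp/out.txt", events=EVENTS):
    return backward_trace(build_graph(events), significance(events), alert, threshold)
```

With threshold 1.3 the trace from `/tmp/out.txt` keeps the download, execution and credential-file read but drops the shared loader-cache reads; with threshold 0 those hub edges are pulled in as well, which is the dependency explosion the scores are meant to contain.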
